A Firewall is a network security device that monitors incoming and outgoing network traffic and decides whether to allow or block specific traffic based on a defined set of security rules. SD-WAN Orchestrator supports configuration of stateless and stateful Firewalls for Profiles and Edges.
For more information on Firewall, see Configure Firewall.
To configure Firewall using the New Orchestrator UI:
- In the Enterprise portal, click the Open New Orchestrator UI option available at the top of the window.
- Click Launch New Orchestrator UI in the pop-up window.
- The UI opens in a new tab displaying the monitoring and configuring options.
- In the new UI, click Profiles page displays the existing Profiles. . The
- To configure a Profile, click the link to the Profile or click the View link in the Device column of the Profile. The configuration options are displayed in the Device tab.
- Click the Firewall tab.
From the Profiles page, you can navigate to the Firewall page directly by clicking the View link in the Firewall column of the Profile.
- The Firewall tab displays the following:
- Edge Access - Allows you to configure a Profile for Edge access. You must make sure to select the appropriate option for Support access, Console access, USB port access, SNMP access, and Local Web UI access under Firewall settings to make the Edge more secure. This will prevent any malicious user from accessing the Edge. By default, Support access, Console access, SNMP access, and Local Web UI access are deactivated for security reasons. For more information, see Configuring Edge access.
- Firewall Status - Allows you to turn ON or OFF the Firewall rules, configure Firewall settings, and in-bound ACLs for all Edges associated with the Profile.
Note: You can deactivate the Firewall function for Profiles by turning the Firewall Status to OFF.
- Syslog Forwarding - By default, the Syslog Forwarding feature is deactivated for an Enterprise. To collect SD-WAN Orchestrator bound events and Firewall logs originating from Enterprise SD-WAN Edge to one or more centralized remote Syslog collectors (Servers), an Enterprise user must activate this feature at the Enterprise level. To configure Syslog collector details per segment in the SD-WAN Orchestrator, see Configure Syslog Settings for Profiles.
Note: You can view both IPv4 and IPv6 Firewall logging details in a IPv4-based Syslog Server.
- Firewall Rules - The existing pre-defined Firewall rules are displayed. You can click + NEW RULE to create a new Firewall rule. For more information, see Configure Firewall Rule with New Orchestrator UI.To delete existing Firewall rules, select the checkboxes prior to the rules and click DELETE. To duplicate a Firewall rule, select the rule and click CLONE.
- Stateful Firewall - By default, the Stateful Firewall feature is activated for an Enterprise. To deactivate the Stateful Firewall feature for an Enterprise, contact an Operator with Super User permission. For more information, see Configuring Stateful Firewall Settings.
- Network & Flood Protection - To secure all connection attempts in an Enterprise network, VMware SD-WAN Orchestrator allows you to configure Network and Flood Protection settings at the Profile and Edge levels, to protect against the various types of attacks. For more information, see Configuring Network and Flood Protection Settings.
By default, all the Edges inherit the Firewall rules, Stateful Firewall settings, Network and Flood Protection settings, and Edge access configurations from the associated Profile. Under the
Firewall tab of the
Edge Configuration dialog, you can view all the inherited Firewall rules in the
Rule From Profile area. Optionally, at the Edge-level, you can also override the Profile Firewall rules and Edge access configuration by following the steps below.
- In the new UI, click .
- Select an Edge for which you want to override the inherited Firewall settings and click on the Firewall tab.
- Select the Override checkbox if you want to modify the inherited profile rules and Firewall settings for the Edge.
Note: The override rules will appear in the Edge Overrides area. The Edge override rules will take priority over the inherited Profile rules for the Edge. Any Firewall override match value that is the same as any Profile Firewall rule will override that Profile rule.
- At the Edge level, you can configure Port Forwarding and 1:1 NAT IPv4 or IPv6 rules individually by navigating to Additional Settings > Inbound ACLs. For detailed imformation about configuring Port Forwarding and 1:1 NAT rules, see Configure Firewall for Edges.
Note: When configuring IPv6 Port Forwarding and 1:1 NAT rules, you can enter only Global or Unicast IP address and cannot enter Link Local Address.